Snaffler

Snaffler is a tool for penetration testers and red team members to find valuable data (credentials and other sensitive material) in large Windows/Active Directory environments. It is built to find needles in a data haystack during security assessments and red team engagements, not to serve as an "audit" tool.

Features

  • Retrieves a list of Windows computers from Active Directory.
  • Finds file shares on those computers and checks whether you can read them.
  • Enumerates the files in the shares and uses heuristic analysis to locate information that could be useful.
  • Classifies files using regex patterns and simple matching.
  • Writes logs describing the files found, including surrounding context.
  • Allows custom rule sets for more focused scanning.

Usage

Key Incantations (Command Line Options)

  • -o: Enables outputting results to a file.
  • -s: Enables outputting results to stdout as soon as they're found.
  • -v: Controls the verbosity level (options: Trace, Debug, Info, Data).
  • -m: Enables and sets an output directory into which Snaffler automatically copies found files.
  • -l: Maximum size of files (in bytes) to copy.
  • -i: Disables computer and share discovery; requires a path to a directory for file discovery.
  • -n: Disables computer discovery; takes a comma-separated list of hosts for share and file discovery.
  • -y: TSV-formats the output.
  • -b: Skips less-interesting rules (tune with a number between 0 and 3).
  • -f: Limits Snaffler to finding file shares via DFS.
  • -a: Skips file enumeration and instead provides a list of listable shares on target hosts.
  • -u: Pulls a list of account names from AD, selects interesting ones, and uses them in a search rule.
  • -d: Domain in which to search for computers, whose shares are then searched for files.
  • -c: Domain controller to query for the list of domain computers.
  • -r: Maximum size of files (in bytes) to search inside for interesting strings.
  • -j: How many bytes of context on either side of found strings in files to show.
  • -z: Path to a config file that defines various settings.

Config File Generation

Run snaffler.exe -z generate to generate a sample TOML config file called default.toml.

Edit the generated config file to customize settings.

Rulesets

  • Comes with default rulesets (in TOML format) for file classification.
  • Users can customize or create their own rulesets to tailor Snaffler to their needs.

Example Rule:

[[ClassifierRules]]
EnumerationScope = "FileEnumeration"
RuleName = "KeepExtExactBlack"
MatchAction = "Snaffle"
MatchLocation = "FileExtension"
WordListType = "Exact"
WordList = [".kdbx", ".kdb", ".ppk", ".vmdk", ".vhdx", ".ova", ".ovf", ".psafe3", ".cscfg", ".kwallet", ".tblk", ".ovpn", ".mdf", ".sdf", ".sqldump"]
Triage = "Black"
